*** client-src/sendbackup-dump.c 2000/03/21 21:32:13 1.1 --- client-src/sendbackup-dump.c 2000/03/23 00:02:35 *************** *** 144,149 **** --- 144,150 ---- char *indexcmd = NULL; char level_str[NUM_STR_SIZE]; char *fstype = NULL; + int cryptout, compout; ap_snprintf(level_str, sizeof(level_str), "%d", level); *************** *** 152,168 **** NAUGHTY_BITS; ! if(compress) ! comppid = pipespawn(COMPRESS_PATH, &dumpout, dataf, mesgf, COMPRESS_PATH, #if defined(COMPRESS_BEST_OPT) && defined(COMPRESS_FAST_OPT) compress == COMPR_BEST? COMPRESS_BEST_OPT : COMPRESS_FAST_OPT, #endif (char *)0); - else { - dumpout = dataf; - comppid = -1; } /* invoke dump */ --- 153,178 ---- NAUGHTY_BITS; ! dumpout = dataf; ! cryptpid = -1; ! cryptout = -1; ! if(sencrypt) { ! cryptout = dumpout; ! cryptpid = pipespawn(ENCRYPT_PATH, &dumpout, cryptout, mesgf, ! ENCRYPT_PATH, ENCRYPT_OPT, (char *)0); ! } ! ! comppid = -1; ! compout = -1; ! if(compress) { ! compout = dumpout; ! comppid = pipespawn(COMPRESS_PATH, &dumpout, compout, mesgf, COMPRESS_PATH, #if defined(COMPRESS_BEST_OPT) && defined(COMPRESS_FAST_OPT) compress == COMPR_BEST? 
COMPRESS_BEST_OPT : COMPRESS_FAST_OPT, #endif (char *)0); } /* invoke dump */ *************** *** 360,365 **** --- 370,377 ---- aclose(dataf); aclose(mesgf); aclose(indexf); + if (compout >= 0) aclose(compout); + if (cryptout >= 0) aclose(cryptout); } static void end_backup(status) *** client-src/sendbackup-gnutar.c 2000/03/21 21:33:56 1.1 --- client-src/sendbackup-gnutar.c 2000/03/23 00:04:43 *************** *** 130,141 **** --- 130,153 ---- struct tm *gmtm; amandates_t *amdates; time_t prev_dumptime; + int cryptout, compout; fprintf(stderr, "%s: start [%s:%s level %d]\n", get_pname(), host, disk, level); NAUGHTY_BITS; + dumpout = dataf; + cryptpid = -1; + cryptout = -1; + if(sencrypt) { + cryptout = dumpout; + cryptpid = pipespawn(ENCRYPT_PATH, &dumpout, cryptout, mesgf, + ENCRYPT_PATH, ENCRYPT_OPT, (char *)0); + } + + comppid = -1; + compout = -1; if(compress) { #if defined(COMPRESS_BEST_OPT) && defined(COMPRESS_FAST_OPT) char *compopt; *************** *** 144,156 **** #else const char compopt[] = ""; #endif ! comppid = pipespawn(COMPRESS_PATH, &dumpout, dataf, mesgf, COMPRESS_PATH, compopt, (char *)0); dbprintf(("sendbackup-gnutar: pid %d: %s %s\n", comppid, COMPRESS_PATH, compopt)); - } else { - dumpout = dataf; - comppid = -1; } #ifdef GNUTAR_LISTED_INCREMENTAL_DIR --- 156,166 ---- #else const char compopt[] = ""; #endif ! compout = dumpout; ! 
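Review bot: The rewritten block in sendbackup-dump.c builds the pipeline back to front and nothing in it says so. The `sencrypt` helper is spawned first with `dataf` as its output, and the compressor is then attached to the helper's input, so data flows dump, compress, encrypt, network. That order is the right one, since ciphertext does not compress, but a later edit that swaps the two `if` blocks would silently reverse it. I would add above `dumpout = dataf;` the comment `/* pipeline is built from the network end backwards: dump -> compress -> encrypt -> dataf */`. The same block is added to sendbackup-gnutar.c and wants the same comment; the enclosing function continues outside both hunks.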
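Review bot: `cryptout` is only ever a copy of `dataf`, and `compout` is too whenever `sencrypt` is off, so the two added lines call `aclose()` on a descriptor number that `aclose(dataf)` released just above them. Assuming `aclose` closes the descriptor, that is a double close: it fails with EBADF today and would close an unrelated descriptor if anything is ever opened between the two calls. Only the compress-to-encrypt pipe needs closing here, so I would drop the `cryptout` line and put `if (compout >= 0 && compout != dataf) aclose(compout);` ahead of `aclose(dataf);`. The identical pair of lines in sendbackup-gnutar.c has the same problem; both sit at the end of a function whose body starts outside the hunk.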
comppid = pipespawn(COMPRESS_PATH, &dumpout, compout, mesgf, COMPRESS_PATH, compopt, (char *)0); dbprintf(("sendbackup-gnutar: pid %d: %s %s\n", comppid, COMPRESS_PATH, compopt)); } #ifdef GNUTAR_LISTED_INCREMENTAL_DIR *************** *** 443,448 **** --- 453,460 ---- aclose(dataf); aclose(mesgf); aclose(indexf); + if (compout >= 0) aclose(compout); + if (cryptout >= 0) aclose(cryptout); } static void end_backup(goterror) *** client-src/sendbackup.c 2000/03/21 21:34:37 1.1 --- client-src/sendbackup.c 2000/03/23 00:25:25 *************** *** 39,44 **** --- 39,45 ---- #define TIMEOUT 30 + int cryptpid = -1; int comppid = -1; int dumppid = -1; int tarpid = -1; *************** *** 67,72 **** --- 68,75 ---- backup_program_t *program = NULL; + int sencrypt; + /* local functions */ int main P((int argc, char **argv)); void parse_options P((char *str)); *************** *** 131,136 **** --- 134,140 ---- krb4_auth = strstr(str, "krb4-auth") != NULL; kencrypt = strstr(str, "kencrypt") != NULL; #endif + sencrypt = strstr(str, "sencrypt") != NULL; createindex = strstr(str, "index") != NULL; } *************** *** 142,147 **** --- 146,152 ---- char *bsd_opt = ""; char *krb4_opt = ""; char *kencrypt_opt = ""; + char *sencrypt_opt = ""; char *index_opt = ""; if(compress == COMPR_BEST) *************** *** 154,159 **** --- 159,165 ---- if(krb4_auth) krb4_opt = "krb4-auth;"; if(kencrypt) kencrypt_opt = "kencrypt;"; #endif + if(sencrypt) sencrypt_opt = "sencrypt;"; if(createindex) index_opt = "index;"; optstr = newvstralloc(optstr, *************** *** 163,168 **** --- 169,175 ---- bsd_opt, krb4_opt, kencrypt_opt, + sencrypt_opt, index_opt, estr ? 
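Review bot: `strstr(str, "sencrypt")` in the option-parsing hunk of sendbackup.c accepts the word anywhere in the option string, while dumper.c in this same patch tests for the delimited token `"sencrypt;"`. If the string carries free-form fields, as the `estr` value in the option-string hunk below suggests, a value that merely contains `sencrypt` would switch the client-side helper on while the server leaves its decrypt helper off, and the stored image would be ciphertext nobody asked for. This follows the existing `kencrypt` line, but for the new option I would match what the server tests: `sencrypt = strstr(str, "sencrypt;") != NULL;`.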
estr : "", NULL); *************** *** 488,493 **** --- 495,501 ---- if(pid == comppid) return "compress"; if(pid == encpid) return "kencrypt"; if(pid == indexpid) return "index"; + if(pid == cryptpid) return "sencrypt"; return "unknown"; } *** client-src/sendbackup.h 2000/03/21 21:35:06 1.1 --- client-src/sendbackup.h 2000/03/21 21:42:40 *************** *** 76,78 **** --- 76,88 ---- #define COMPR_FAST 1 #define COMPR_BEST 2 + + #ifndef ENCRYPT_PATH + #define ENCRYPT_PATH "/local/bin/sst" + #ifdef ENCRYPT_OPT + #undef ENCRYPT_OPT + #endif + #define ENCRYPT_OPT "-celv" + /* #define ENCRYPT_OPT "-celddd" /* enable debugging messages */ + #endif + extern int sencrypt, cryptpid; *** server-src/amadmin.c 2000/03/21 21:45:12 1.1 --- server-src/amadmin.c 2000/03/21 21:53:16 *************** *** 1243,1248 **** --- 1243,1249 ---- break; } printf(" kencrypt %s\n", (dp->kencrypt? "YES" : "NO")); + printf(" sencrypt %s\n", (dp->sencrypt? "YES" : "NO")); printf(" holdingdisk %s\n", (!dp->no_hold? "YES" : "NO")); printf(" record %s\n", (dp->record? "YES" : "NO")); *** server-src/conffile.c 2000/03/21 21:46:07 1.1 --- server-src/conffile.c 2000/03/22 17:15:23 *************** *** 84,90 **** OPTIONS, PRIORITY, FREQUENCY, INDEX, STARTTIME, COMPRESS, AUTH, STRATEGY, SKIP_INCR, SKIP_FULL, RECORD, HOLDING, ! EXCLUDE, KENCRYPT, IGNORE, COMPRATE, /* tape type */ /*COMMENT,*/ LBL_TEMPL, FILEMARK, LENGTH, SPEED, --- 84,90 ---- OPTIONS, PRIORITY, FREQUENCY, INDEX, STARTTIME, COMPRESS, AUTH, STRATEGY, SKIP_INCR, SKIP_FULL, RECORD, HOLDING, ! 
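Review bot: In sendbackup.h the `#undef`/`#define ENCRYPT_OPT` pair is nested inside `#ifndef ENCRYPT_PATH`, so a build that supplies its own `ENCRYPT_PATH` but no `ENCRYPT_OPT` is left with `ENCRYPT_OPT` undefined, and a build that supplies only `ENCRYPT_OPT` has it silently replaced by `"-celv"`. Giving the option its own guard, `#ifndef ENCRYPT_OPT` / `#define ENCRYPT_OPT "-celv"` / `#endif`, fixes both; the `DECRYPT_PATH`/`DECRYPT_OPT` block added to dumper.c is written the same way. The default `/local/bin/sst` is a site-local path that every backup byte is piped through, so it deserves a comment that the binary and its directory must be writable only by root, and the path would be better taken from configure, as I assume `COMPRESS_PATH` is. The commented-out debug define also contains a nested `/*`, which compiles but draws a `-Wcomment` warning.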
EXCLUDE, KENCRYPT, SENCRYPT, IGNORE, COMPRATE, /* tape type */ /*COMMENT,*/ LBL_TEMPL, FILEMARK, LENGTH, SPEED, *************** *** 1019,1024 **** --- 1019,1025 ---- { "IGNORE", IGNORE }, { "INDEX", INDEX }, { "KENCRYPT", KENCRYPT }, + { "SENCRYPT", SENCRYPT }, { "MAXCYCLE", MAXCYCLE }, /* XXX - historical */ { "MAXDUMPS", MAXDUMPS }, { "OPTIONS", OPTIONS }, /* XXX - historical */ *************** *** 1098,1103 **** --- 1099,1108 ---- get_simple(&tmpval, &dpcur.s_kencrypt, BOOL); dpcur.kencrypt = (tmpval.i != 0); break; + case SENCRYPT: + get_simple(&tmpval, &dpcur.s_sencrypt, BOOL); + dpcur.sencrypt = (tmpval.i != 0); + break; case MAXCYCLE: get_simple((val_t *)&conf_maxcycle, &dpcur.s_maxcycle, INT); break; *************** *** 1185,1190 **** --- 1190,1196 ---- dpcur.skip_incr = dpcur.skip_full = 0; dpcur.no_hold = 0; dpcur.kencrypt = 0; + dpcur.sencrypt = 0; dpcur.ignore = 0; dpcur.index = 0; *************** *** 1206,1211 **** --- 1212,1218 ---- dpcur.s_skip_full = 0; dpcur.s_no_hold = 0; dpcur.s_kencrypt = 0; + dpcur.s_sencrypt = 0; dpcur.s_ignore = 0; dpcur.s_index = 0; } *************** *** 1261,1266 **** --- 1268,1274 ---- dtcopy(skip_full, s_skip_full); dtcopy(no_hold, s_no_hold); dtcopy(kencrypt, s_kencrypt); + dtcopy(sencrypt, s_sencrypt); dtcopy(ignore, s_ignore); dtcopy(index, s_index); } *************** *** 1509,1514 **** --- 1517,1523 ---- { "EXCLUDE-FILE", EXCLUDE_FILE }, { "EXCLUDE-LIST", EXCLUDE_LIST }, { "KENCRYPT", KENCRYPT }, + { "SENCRYPT", SENCRYPT }, { "SKIP-FULL", SKIP_FULL }, { "SKIP-INCR", SKIP_INCR }, { NULL, IDENT } *************** *** 1540,1545 **** --- 1549,1555 ---- dpcur.exclude_list = 1; break; case KENCRYPT: ckseen(&dpcur.s_kencrypt); dpcur.kencrypt = 1; break; + case SENCRYPT: ckseen(&dpcur.s_sencrypt); dpcur.sencrypt = 1; break; case SKIP_INCR: ckseen(&dpcur.s_skip_incr); dpcur.skip_incr= 1; break; case SKIP_FULL: ckseen(&dpcur.s_skip_full); dpcur.skip_full= 1; break; case INDEX: ckseen(&dpcur.s_index); dpcur.index = 1; break; 
*************** *** 2335,2340 **** --- 2345,2351 ---- if(dp->skip_full) printf(" SKIP-FULL"); if(dp->no_hold) printf(" NO-HOLD"); if(dp->kencrypt) printf(" KENCRYPT"); + if(dp->sencrypt) printf(" SENCRYPT"); /* an ignored disk will never reach this point */ assert(!dp->ignore); if(dp->index) printf(" INDEX"); *** server-src/conffile.h 2000/03/21 21:46:08 1.1 --- server-src/conffile.h 2000/03/21 21:53:17 *************** *** 112,117 **** --- 112,118 ---- int skip_full:1; int no_hold:1; int kencrypt:1; + int sencrypt:1; int ignore:1; int index:1; *************** *** 134,139 **** --- 135,141 ---- int s_skip_full; int s_no_hold; int s_kencrypt; + int s_sencrypt; int s_ignore; int s_index; } dumptype_t; *** server-src/diskfile.c 2000/03/21 21:46:09 1.1 --- server-src/diskfile.c 2000/03/21 21:53:18 *************** *** 293,298 **** --- 293,299 ---- disk->skip_full = dtype->skip_full; disk->no_hold = dtype->no_hold; disk->kencrypt = dtype->kencrypt; + disk->sencrypt = dtype->sencrypt; disk->index = dtype->index; skip_whitespace(s, ch); *************** *** 407,412 **** --- 408,414 ---- static char *str = NULL; char *auth_opt = ""; char *kencrypt_opt = ""; + char *sencrypt_opt = ""; char *compress_opt = ""; char *record_opt = ""; char *index_opt = ""; *************** *** 422,427 **** --- 424,430 ---- auth_opt = "krb4-auth;"; if(dp->kencrypt) kencrypt_opt = "kencrypt;"; } + if(dp->sencrypt) sencrypt_opt = "sencrypt;"; switch(dp->compress) { case COMP_FAST: *************** *** 450,455 **** --- 453,459 ---- return vstralloc(";", auth_opt, kencrypt_opt, + sencrypt_opt, compress_opt, record_opt, index_opt, *** server-src/diskfile.h 2000/03/21 21:46:10 1.1 --- server-src/diskfile.h 2000/03/21 21:53:18 *************** *** 72,77 **** --- 72,78 ---- int skip_full:1; /* fulls done externally ? */ int no_hold:1; /* don't use holding disk ? */ int kencrypt:1; + int sencrypt:1; int index:1; /* produce an index ? 
*/ int spindle; /* spindle # - for parallel dumps */ int inprogress; /* being dumped now? */ *** server-src/dumper.c 2000/03/21 21:46:10 1.1 --- server-src/dumper.c 2000/03/21 21:53:19 *************** *** 112,117 **** --- 112,128 ---- int amanda_port; int compresspid, indexpid, killerr; + int decrypt, cryptpid; + + #ifndef DECRYPT_PATH + #define DECRYPT_PATH "/local/bin/sst" + #ifdef DECRYPT_OPT + #undef DECRYPT_OPT + #endif + #define DECRYPT_OPT "-slv" + /* #define DECRYPT_OPT "-slddd" /* for debugging messages */ + #endif /* DECRYPT_PATH */ + /* local functions */ int main P((int main_argc, char **main_argv)); static cmd_t getcmd P((void)); *************** *** 146,151 **** --- 157,163 ---- srvcompress = srvcomp_fast; else srvcompress = srvcomp_none; + decrypt = (strstr(options, "sencrypt;") != NULL); } void service_ports_init() *************** *** 894,899 **** --- 906,912 ---- fd_set readset, selectset; struct timeval timeout; int outpipe[2]; + int netpipe[2]; int header_done; /* flag - header has been written */ char *indexfile = NULL; char level_str[NUM_STR_SIZE]; *************** *** 951,956 **** --- 964,1010 ---- goto failed; } + /* insert pipe in the *READ* side, if decryption is desired */ + cryptpid = -1; + if (decrypt) { + int tmpfd; + + tmpfd = datafd; + if(socketpair(AF_UNIX, SOCK_STREAM, 0, netpipe) == -1) + error("socketpair: %s", strerror(errno)); + datafd = netpipe[0]; + if(datafd < 0 || datafd >= FD_SETSIZE) { + aclose(netpipe[0]); + aclose(netpipe[1]); + errstr = newstralloc(errstr, "descriptor out of range"); + errno = EMFILE; + goto failed; + } + switch(cryptpid=fork()) { + case -1: + errstr = newstralloc2(errstr, "couldn't fork: ", strerror(errno)); + goto failed; + default: + aclose(netpipe[1]); + aclose(tmpfd); + break; + case 0: + aclose(netpipe[0]); + /* child acts on stdin/stdout */ + if (dup2(netpipe[1],1) == -1) + fprintf(stderr, "err dup2 out: %s\n", strerror(errno)); + if (dup2(tmpfd, 0) == -1) + fprintf(stderr, "err dup2 in: %s\n", 
strerror(errno)); + for(tmpfd = 3; tmpfd <= FD_SETSIZE; ++tmpfd) { + close(tmpfd); + } + /* now spawn sst to take care of the rest */ + execlp(DECRYPT_PATH, DECRYPT_PATH, DECRYPT_OPT, (char *)0); + error("error: couldn't exec %s.\n", DECRYPT_PATH); + } + /* Now the pipe has been inserted. */ + } + /* insert pipe in the *READ* side, if server-side compression is desired */ compresspid = -1; if (srvcompress) { *************** *** 1290,1295 **** --- 1344,1361 ---- if(errno != ESRCH) fprintf(stderr,"%s: can't kill index command: %s\n", get_pname(),strerror(errno)); + } + } + + if(cryptpid != -1) { + killerr = kill(cryptpid,SIGTERM); + if(killerr == 0) { + fprintf(stderr,"%s: kill decrypt command\n",get_pname()); + } + else if ( killerr == -1 ) { + if(errno != ESRCH) + fprintf(stderr,"%s: can't kill decrypt command: %s\n", + get_pname(), strerror(errno)); } } *** man/amanda.8.in 2000/03/30 00:33:57 1.1 --- man/amanda.8.in 2000/03/30 00:40:21 *************** *** 802,807 **** --- 802,813 ---- Whether the backup image should be encrypted by Kerberos as it is sent across the network from the backup client host to the tape server host. .TP + .BS sencrypt boolean + Default: + .IR no . + Whether the backup image should be encrypted by SSL as it is sent + across the network from the backup client host to the tape server host. + .TP .BS maxdumps int Default: .IR 1 .
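Review bot: In the `case 0:` branch of the new decrypt block in dumper.c the child only prints a message when `dup2()` fails and then goes on to exec the helper, which would then run on the dumper's inherited stdin or stdout instead of the network socket and the socketpair. Each failure should end the child, and since `DECRYPT_PATH` is meant to be an absolute path `execl` is the better call, because `execlp` would search `PATH` if a build ever set it to a bare name. The close loop also runs to `tmpfd <= FD_SETSIZE`, one descriptor past the range, and the `case -1:` path jumps to `failed` with `tmpfd` and `netpipe[1]` still open. The enclosing function starts and ends outside the hunk, so I have not checked what `failed` cleans up.

```c
	case 0:
	    aclose(netpipe[0]);
	    /* child acts on stdin/stdout; never exec on the wrong descriptors */
	    if (dup2(netpipe[1], 1) == -1) {
		fprintf(stderr, "err dup2 out: %s\n", strerror(errno));
		_exit(1);
	    }
	    if (dup2(tmpfd, 0) == -1) {
		fprintf(stderr, "err dup2 in: %s\n", strerror(errno));
		_exit(1);
	    }
	    for(tmpfd = 3; tmpfd < FD_SETSIZE; ++tmpfd) {
		close(tmpfd);
	    }
	    /* absolute path, no PATH search */
	    execl(DECRYPT_PATH, DECRYPT_PATH, DECRYPT_OPT, (char *)0);
	    /* ... unchanged: error() call after a failed exec ... */
```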